Eh, it's MS. The gaming media and people here on GAF will give them a pass on this. Just like they did with the RROD issue.
Lol, holy shit. You think Microsoft should shut down XBL, a userbase of 40+ million people, just because an extremely small (small enough to not get noticed or garner care from the gaming media) percentage are being phished? You think Sony would do the same?
For all we know, all that CC info would have been stolen (instead of a small, insignificant amount that was reported here and there) and Sony would be filing for bankruptcy from all the lawsuits and money owed (they are already in a bad position in several divisions, this would have been an awful nightmare).
Listen, I don't know how else to explain this to you. The people are not getting phished.
Just a question, is the class action waiver legal? I mean, is this within the law or is it null and void in law?
I'm asking because here, you can not EVER sign away certain consumer rights.
How do you know? Your secret contacts inside MS? This is very likely phishing attacks, nothing more. You really seem to want it to be more.
True, I think it's pathetic people have to be afraid of this happening to them on what's supposed to be a secure service, worst of all they can't take off their info to avoid the issue.
Eh, it's MS. The gaming media and people here on GAF will give them a pass on this. Just like they did with the RROD issue.
That's really, really wrong.
Because I know what a phishing attack is, and I know I have not been phished. I fucking work in security. I do not click ANYTHING. I browse from a VM almost 100% of the time. The account I got hacked on had not been used in over 18 months (meaning I also had not used my Xbox in over 18 months), and the Windows Live Id was used exclusively for XBL and nothing else, and had a unique password that was very strong. I did not even know what the password was because I store it in KeePass and it's a string of garbage that there's no way I could remember. So please fucking explain to me how I could have been phished.
There's a way to cancel it on the Paypal website, someone posted a way in a previous thread about this.
Still can't remove my Paypal via xbox.com. Remove link is broken.
For all we know, every single account in the world is already hacked, but it's a very small number of people doing it and then selling the accounts, in which case new reports of hacks are limited by how fast buyers can turn around the fifa scam process. If this is the case, the fifa guys aren't hacking anything, they're just buying hacked accounts which means they need to recover their investment, which is where the 1-2 month period between attacks comes in.
This has always been what I don't understand about people saying "Oh, it's just social engineering/phishing."
How could someone hack an account like this via social engineering?
Wouldn't "social engineering" cover someone tricking MS support into changing the pass?
I'll agree this is theoretically possible (if improbable in my eyes) but if a hacker had access to potentially every Windows Live ID in existence, wouldn't they be capable of far more damage than what we appear to be seeing?
I suppose it takes time to list the compromised account on auction sites, and then facilitate the transfer of it. That's your likely bottleneck right there.
This has always been what I don't understand about people saying "Oh, it's just social engineering/phishing."
How could someone hack an account like this via social engineering/phishing? Sure, most people aren't very security aware, but we've heard multiple reports of people who were very security aware also having their accounts hijacked.
All the console wars political bullshit that goes on in these threads make them completely useless. I can't read this thread and collect any useful information because both sides have such obvious agendas.
It's been suggested that the weak link could be via Microsoft Support, i.e. the thief calls MS Support pretending to be the owner of the account they're trying to steal. They either research the account enough beforehand to have enough details to fool the support rep into giving them access or they're able to glean enough new info about the account that they can try again on a new service rep which they're likely to get on a subsequent call. Nobody knows for sure currently.
So this would mean that the hackers are actually looking up individual people, reading through their facebooks/google +/myspace etc. to figure out birthdays, pet names, addresses, whatever, then calling Microsoft? Wouldn't that be incredibly time intensive and easy to spot?
And even if that is happening, wouldn't that mean the passwords are getting reset? But a lot of people's passwords aren't getting reset.
Please find me one company on the planet that will read your damn password to you over the phone. Fuck, I'm getting sick of this argument, you honestly think XBL password is stored in plaintext? That would be the biggest story since Watergate.
Where did I once say the password itself would be read over the phone?
Hey, if you are right then we should see this thing explode soon but I don't think so. Not worried at all.
They (or your bank) will reimburse you of any charges on your Credit Card or MS Points balance.
They are the ones who after being notified an account is being used fraudulently, continue allowing that account to buy stuff and steal money from the legitimate owner. I actually think this is the main point of the OP's linked story. The woman contacted Microsoft immediately and said "I did not buy those things", Microsoft said okay we are locking your account, and then continued to accept money from the account even though they were already notified it was fraudulent. Should be illegal, you shouldn't be allowed to take the money after being informed the purchases are fraudulent.
If you have so much certainty about the information about how this is done, why don't you contact the press and tell everybody how it's done, and provide some proof? This "I can't tell you how, but believe me, I know it's not phishing!" shit is not cutting it anymore.
Listen, I don't know how else to explain this to you. The people are not getting phished.
Xbox Live has expanded into many different countries, and with that, its call-centers have had to be installed in different locations to reach people across the globe. Of course this is done by outsourcing these local operations to third parties, who hire peons for the least possible wages.
These people have access to account details and can retrieve them en masse by just checking the database. These details usually can be used to answer secret questions on different services, including xbox live itself.
Please read like, oh idk, 2-3 posts above yours. You do not just look in a database and read a password off. End of discussion
I'm not sure how likely that'd be, but if it was the case, the hackers are certainly doing more with it than they did with PSN.
So it can't be either phishing/social engineering or mystery hack. The latter of which implies XBL has been totally compromised for almost three years but the hackers aren't doing much with it. That doesn't make sense so there must be some fourth exploit no one has figured out yet.
Are only accounts with Paypal tied getting hacked? If so that could be the weak link.
To be fair Sony had sensitive information in plain text. I'm not defending his point but just sayin'.
This is 100% what happened to me
On 12/31 I woke up with 5 paypal receipts in my inbox that were all from xbl, I knew immediately what had happened, by the time I got into my xbl account there were 16 purchases for over $700.
I changed all my xbl info, surprised whoever hacked it didn't do that first, called microsoft, called paypal, called my local bank since the charges had spilled over onto that account as well. Got it all locked down. My bank didn't even see the charges yet but I told them that they were coming. The bank assured me they would take care of it and not let the charges go through and paypal canceled my billing agreement with microsoft. Lo and behold the bank let all the charges go through and hit me with 200 bucks of overdraft fees. I am working to get things resolved with my bank but...
A few days later I turned on my xbox to find it auto logged into my account. It hadn't been shut down by microsoft at all even though I got an email confirming it had been temporarily disabled at my request. I checked a few things because I suspected what was happening. I knew since they didn't actually still have my account they must have attempted to funnel the points to another account. Sure enough there were 2 accounts based in Europe that were brand new, never been played on, that were on my friends list that I sure as shit didn't put there. I think the accounts have already been sold since one was playing forza last night and one played some xbl game this morning.
I literally laid out for microsoft exactly what happened both before and after it actually happened and I am going to have to wait and deal with all this shit with paypal and my bank and not have my xbl account for up to 6 weeks. May be a blessing in disguise with the semester starting soon but I was stranded on new years eve in another city with most of my electronic funds completely locked out because of this bullshit
M$ get your shit together or this will blow up bigger than Sony's situation ever did
tl;dr - acct hacked, points xfered to dummy euro accounts
They (or your bank) will reimburse you of any charges on your Credit Card or MS Points balance.
Why would you care? The woman specifically said to me that I HAD TO cancel my Credit Card, because that's what's used as the main proof of account stolen. The charges are then taken care of and I'm either never charged for it by the CC company or I'm later refunded (which, yes, takes much more time).
What "sensitive" information?
And if they do... that is horrible security and MS should absolutely be held accountable.